JP2003023418A - Mobile communication dynamic secure grouping system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mobile communication dynamic secure grouping system in a mobile communication system, that can securely and quickly update a group key, when the group configuration is subjected to changes. SOLUTION: When the group configuration is subjected to changes, such as addition of members and fusion of groups, a base station creates a new group key. The base station divides a group into a plurality of virtual sub groups. Each member, belonging to each sub group, shares a sub group key by the BD(Bermester-Desmedt) method. The base station encrypts the new group key by the sub group key and distributes an encrypted text to each member of the group. Each member belonging to the group uses the sub group key to decrypt the encrypted text, thereby obtaining the group key.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a mobile communication dynamic secure grouping system, and more particularly to a group key in a mobile communication system when a plurality of members forming a group share a group key and dynamically change. The present invention relates to a mobile communication dynamic secure grouping method for updating safely and quickly.

[0002]

2. Description of the Related Art As a method of sharing a group encryption key,
The BD method is known. Document 1 [M. Bermester, Y. Desmedt; A secure and
efficient conference key distribution system “EUR
OCRYPT'94 ”May 1994] and Japanese Patent Laid-Open No. 2001-94544“ Mobile communication encryption key distribution method ”. Further, the present inventor has proposed a “mobile communication group encryption key distribution method” in Japanese Patent Application No. 2001-061724. The BD method will be briefly described below.

The number of members is n, and the prime number p is modulo,
The base is an integer α that satisfies the condition (2 ≦ α <p−1),
When the secret random number of members M _i and _{R i, Z i = α ^} R i modp X i = (Z i + 1 / Z i-1) ^ R i modp become terminal information Z _i and member information X _i To member M _i
To calculate. Send these to all other members. Each member M _i uses the terminal information Z _i and the member information X _i to set the shared key K _n as K _n (M _i ) = Z _i−1 ^ (n · R _i ) · X _i ^ ( n-1) ・ X _{i + 1} ^ (n-
2) ···· Calculate and share with X _i-2 modp. A terminal information Z _i-1 of the previous one member M _i members M _i-1, and member information X _i of members M _i, members M _i of the following members M _{i + 1} of the member information X _{i + 1} and,..., by using the two in front of the members M _i-2 of member information X _i-2 of the members M _i, to calculate the shared key.

When there is a change such as deletion of a group member or addition of a new member to the group, information according to the number of deleted or added members may be transmitted. The update of the group encryption key using a transmission line with a low transmission rate such as mobile communication is effective in that the transmission time is shortened.

[0005]

However, the above-mentioned conventional B
In the D method, when the number of members in the entire group is large, it takes a long time to calculate the shared key. There is a problem that it takes time to share the group key when the group changes, such as deleting or adding members, and quick group key update is not possible.

When a plurality of groups are fused,
There is a problem in that there are many communication procedures such that terminal information must be sent to each member, a specific member must calculate the member information, and the calculated member information must be sent to each member. In addition, since the number of members increases in the case of merging, the calculation time of the shared key may take a long time.

An object of the present invention is to solve the above-mentioned conventional problems and to promptly update the group key when the group configuration is changed.

[0008]

In order to solve the above problems, according to the present invention, a base station of a mobile communication dynamic secure grouping system composed of a base station and a plurality of terminals is provided with one group and a plurality of virtual terminals. Of sub-groups, a method of generating a sub-group encryption key to be given to the sub-group, and a dummy member that is a virtual member and the actual members that make up the sub-group are arranged alternately. A means for forming a sandwiched array, a means for encrypting the group encryption key with a subgroup encryption key and delivering it to the actual members of the group, a means for performing group communication using the group encryption key, and an updated group encryption key By selecting the real members to deliver, you can remove the real members from the group and add real members to the group. Means, a means for dividing a group, and a means for merging a plurality of groups, wherein a real member belonging to the subgroup calculates a subgroup encryption key in the terminal, and the terminal is encrypted with the subgroup encryption key. And a means for decrypting the group encryption key.

With this configuration, the group key can be quickly updated when the group configuration is changed.

[0010]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described in detail below with reference to FIGS.

(Embodiment) In the embodiment of the present invention, a group is divided into a plurality of subgroups, the subgroup encryption key is shared by members belonging to the subgroup by the BD method, and the group encryption key is the subgroup encryption key. It is a mobile communication dynamic secure grouping method in which members belonging to a group obtain the group encryption key after being encrypted and delivered by the group.

FIG. 1 is a conceptual diagram for explaining the principle of the mobile communication dynamic secure grouping system according to the embodiment of the present invention. FIG. 1A is a tree structure diagram showing the relationship among groups, subgroups, and members. Figure 1
(B) is a tree structure diagram showing the relationship between addition and deletion of members. FIG. 1C is a tree structure diagram showing a group division method.

FIG. 2 is a block diagram showing the configuration of the mobile communication dynamic secure grouping system according to the embodiment of the present invention. In FIG. 2, the base station 1 is a fixed wireless base station. The terminals T ₁ , T ₂ , ..., T _n are n terminals. FIG. 3 is a block diagram of the base station. In FIG. 3, the transmission / reception unit 11 is a part that demodulates the received radio wave signal into a baseband signal, modulates the baseband signal, and transmits the baseband signal as a radio wave signal. Control unit 12
Is a device that controls the devices of the entire base station. Arithmetic unit 13
Is an apparatus for calculating various parameters. Storage unit 14
Is a device for storing various values necessary for generating an encryption key.

FIG. 4 is a block diagram showing the configuration of a mobile communication dynamic secure grouping terminal according to the embodiment of the present invention. In FIG. 4, the transmitting / receiving unit 21
Is a part that demodulates the received radio wave signal into a baseband signal and modulates the baseband signal to transmit as a radio wave signal. The control unit 22 is a device that controls the entire terminal. The calculation unit 23 is a device that calculates various parameters. The storage unit 24 is a device that stores various values required for encryption key generation.

FIG. 5 is a diagram showing terminal information registered in the base station storage unit of the mobile communication dynamic secure grouping system. FIG. 6 is a diagram showing subgroup random numbers, terminal information, and member information stored in the base station storage unit. FIG. 7 is a diagram showing a storage state of the terminal storage unit. FIG. 8 is a diagram showing a method of deleting a member from a subgroup. FIG. 9 is a diagram showing a method of adding a member to a subgroup. FIG. 10 is a diagram showing a method for adding members to a group. FIG. 11 is a diagram showing a method for adding members to a group. Figure 12
FIG. 6 is a diagram showing a state of a terminal storage unit. FIG. 13 is a diagram showing a state of the base station storage unit. FIG. 14 is a diagram of the terminal storage unit at the time of group division.

The operation of the mobile communication dynamic secure grouping system in the embodiment of the present invention configured as described above will be described. First, the concept will be explained. As shown in FIG. 1A, groups, subgroups, and members can be represented by a tree structure. Each member is put together as a virtually provided subgroup. A subgroup encryption key SGK _i is given to the subgroup. Subgroups are organized into actual groups. A group encryption key GK is assigned to the group. All members belonging to the group share the group encryption key GK.

Each member of the subgroup calculates and shares the subgroup encryption key SGK _i by the BD method. The base station 1 generates a group encryption key and encrypts it with the subgroup encryption key SGK _i to generate a ciphertext SGK _i (GK),
Deliver to each member. Each member decrypts the ciphertext SGK _i (GK) using the subgroup encryption key SGK _i to obtain the group key GK.

To change a group, members who have already formed a group are removed from the group, members are newly added to the group, groups are merged with each other, and one group is merged. Is divided into a plurality of groups.

As shown in FIG. 1B, when a member is deleted or added, the group encryption key is changed from GK to GK '. The subgroup encryption key SGK _i of the subgroup to which the member to be deleted or added belongs is changed by the BD method to be SGK _i ′. There is no deletion of members or modification of subgroup encryption keys for subgroups without addition. The group encryption key GK ′ is encrypted with each subgroup encryption key and delivered.

Each member decrypts the received ciphertext with the subgroup key to obtain the group encryption key GK '. When the groups are merged, the group encryption key GK ′ after the fusion is generated, and the new group encryption key GK ′ is encrypted and delivered using each old group encryption key before the group fusion. Each member decrypts the ciphertext using each old group encryption key to obtain a new group encryption key GK '.

As shown in FIG. 1C, in the case of group division, the subgroup encryption key of the subgroup including the divided members is changed by the BD method. The group encryption key of the divided group is encrypted with the subgroup encryption key and delivered. Each member decrypts this with their respective subgroup encryption key to obtain the group encryption key.

Second, the functions of the base station and the terminal of the mobile communication dynamic secure grouping system according to the embodiment of the present invention will be described with reference to FIGS. The transceiver 11 of the base station 1 demodulates the received radio wave signal into a baseband signal, modulates the baseband signal, and transmits the baseband signal as a radio wave signal. The control unit 12 controls the devices of the entire base station. The calculation unit 13 calculates various parameters. The storage unit 14 stores various values required for encryption key generation. The transmitter / receiver 21 of the terminal demodulates the received radio wave signal into a baseband signal, modulates the baseband signal, and transmits the baseband signal as a radio wave signal. Control unit
22 controls the entire terminal. The calculation unit 23 calculates various parameters. The storage unit 24 stores various values required for encryption key generation.

Communication from the base station 1 to each terminal is carried out by broadcast communication, and each terminal can receive at the same time. Communication from the terminal to the base station is performed individually. Communication between terminals is individually performed via the base station 1. The base station 1 is installed so that transmission / reception with a terminal is surely performed, and the majority of terminals and the base station 1 can always communicate with each other. The transmission power of the base station 1 is higher than the transmission power of the terminal, and even if the transmission signal of the terminal does not reach the base station 1, the transmission signal of the base station 1 has a high probability of reaching the terminal.

Third, a method of forming a group by the BD method will be described. The base station 1 is a calculation unit that uses a prime number p and (2 ≦ α
<P-1) is generated and is transmitted to each terminal via the wireless unit. Each terminal generates a terminal secret random number R in each calculation section, calculates terminal information Z, stores it in the storage section, and transmits it to the base station 1 by a secure method.
The terminal information Z is (α ^ R modp). As an example of a method of sending the terminal information Z to the base station in a secure manner, the public key of the public key system is made public at the base station, and each terminal encrypts the terminal information Z with this public key and sends it to the base station. There is a way to send Z.

As shown in FIG. 5, terminal information Z of each terminal
Are stored in the storage unit of the base station 1. For terminals,
The terminal information Z is stored. A group can be formed by any one of the _n terminals T _{1 to} T _n .
Here, a case will be described where eight terminals form a group having a group ID G ₀ . The members of eight terminals are M ₁ , M ₂ , M ₃ , M ₄ , M ₅ , M ₆ , M ₇ , and M ₈ . This group consists of two subgroups. The members M ₁ , M ₂ , M ₃ and M ₄ are one subgroup, and the subgroup ID is SG ₁ . Also, the members M ₅ , M ₆ , M ₇ ,
Subgroup ID with M ₈ as another subgroup
Is SG ₂ . Members M ₁ , M ₂ , M ₃ , M ₄ , M ₅ , M ₆ ,
The terminal information Z of M ₇ and M ₈ is set to Z ₁ , Z ₂ , Z ₃ , Z ₄ ,
Let Z ₅ , Z ₆ , Z ₇ , and Z ₈ .

The base station 1 sets dummy members D ₁ , D ₂ , D ₃ and D ₄ as virtual members for the subgroup SG ₁ and stores them in the storage unit. At this time, the control unit, the members of the _{subgroup, D 1 -M 1 -D 2 -M} 2 -D 3
Arranged in order of -M ₃ -D ₄ -M _4, and stores them in the storage unit. Random numbers are generated for the dummy D ₁ , D ₂ , D ₃ , and D ₄ by the arithmetic unit, and stored in the storage unit as R _d1 , R _d2 , R _d3 , and R _d4 , respectively. Further, the terminal information Z _d1 of the dummy D ₁ is calculated and stored in the storage unit. Similarly, the terminal information Z _d2 , Z _d3 , Z _d4 of the dummy D ₂ , D ₃ , D ₄ is calculated,
It is stored in the storage unit of the base station.

The member information X of the dummies D _{1 to} D ₄ is X _d1 , X _d2 , X _d3 , and X _d4 , respectively. Dummy member information X _d1 = (Z ₁ / Z ₄ ) ^ R _d1 modp X _d2 = (Z ₂ / Z ₁ is used by using the already stored terminal information Z _{1 to} Z ₄ of the members M _{1 to} M _4. ) ^ R _d2 modp X _d3 = (Z ₃ / Z ₂ ) ^ R _d3 modp X _d4 = (Z ₄ / Z ₃ ) ^ R _d4 modp. These calculation results are stored in the storage unit of the base station.

The constituent information D ₁ -M ₁ -D ₂ -M ₂ -D ₃ -M ₃ -D ₄ -M ₄ of the members of the subgroup SG ₁ and the terminal information Z _d1 , Z _d2 , Z _d3 , Z _d4. However, through the radio part of the base station,
Broadcast is sent to all terminals.

[0029] Of the members of the sub-group that received this
The terminal determines the subgroup structure and
Know the line order and the dummy terminal information Z.
It is stored in the storage unit of the terminal. Subgroup member terminals
From the terminal information Z of the members before and after himself,
Calculate information X. Member M₁Is a member M₁In front of
Dummy D₁Terminal information Z_d1And the later dummy D₂Device information
Z_d2Member information using X₁= (Z_d2/ Z_d1) ^ R₁ modp To calculate. Similarly, member M₂Is member information
X₂Calculate and Member M ₃Is member information X₃Calculate
And member M_FourIs member information X_FourAnd calculate
It is stored in the storage unit of each terminal. Member calculated by the terminal
The information X is sent to the base station 1 via the wireless unit. base station
1 is member information X sent from the member's terminal
Is verified and stored in the storage unit of the base station 1. Base station memory
The state of information of the copy is shown in FIG.

The control unit of the base station transmits the dummy member information X _{d1 to} X _d4 and the member information X _{1 to} X ₄ of the members stored in the storage unit to the terminal via the transmitting / receiving unit. The member terminal which receives this stores the member information X _{d1 to} X _d4 and X _{1 to} X ₄ sent from the base station 1 in the storage unit of the terminal. This stored state is shown in FIG.

Using these information, the member's terminal
Computes the shared key. That is, member M_iShared key
Is a member M_iThe dummy D one before_iTerminal information Z
_diAnd member M_iMember Information X_iAnd member M_i
Next dummy D_{i + 1}Member Information X _{di + 1}When,···,
Member M_i-2Member Information X_i-2Is calculated using and
It

The shared key of the member M ₃ is calculated as follows: K ₈ (M ₃ ) = Z _d3 ^ (8 · R ₃ ) · X ₃ ^ 7 · X _d4 ^ 6 · X ₄ ^ 5 · X _d1 ^ 4 · X ₁ ^ 3 · X _d2 ^ 2 · X ₂ modp = α ^ (R _d3 · R ₃ + R ₃ · R _d4 + R _d4 · R ₄ + R ₄ · R _d1 + R _d1 · R ₁ + R ₁ · R _d2 + R _d2 · R ₂ + R ₂ · R _d3 ) modp. However, X ₁ = (Z _d2 / Z _d1 ) ^ R ₁ modp X ₂ = (Z _d3 / Z _d2 ) ^ R ₂ modp X ₃ = (Z _d4 / Z _d3 ) ^ R ₃ mod p X ₄ = (Z _{d1 / Z d4) ^ R 4} modp X d1 = (Z 1 / Z 4) ^ R d1 modp X d2 = (Z 2 / Z 1) ^ R d2 modp X d3 = (Z 3 / Z 2) ^ R d3 modp X _d4 = (Z ₄ / Z ₃ ) ^ R _d4 modp Z ₁ = α ^ R ₁ modp Z ₂ = α ^ R ₂ modp Z ₃ = α ^ R ₃ modp Z ₄ = α ^ R ₄ modp Z _d1 = α ^ R _d1 modp Z _d2 = α ^ R _d2 modp Z _d3 = α ^ R _d3 modp Z _d4 = α ^ R _d4 modp. This calculation result shows that the members of the subgroup SG ₁ and the virtual dummy members of the base station have the same value, and the shared key is shared. This key is the subgroup key SG.
Let K ₁ .

Subgroup SG₁Is a dummy D₁~ D
_FourAnd member M₁~ M_FourComprised of the base station storage
The stored contents of the table are as shown in FIG. Dummies and members
-D ₁-M₁-D₂-M₂-D₃-M₃-D_Four-M_FourOrder of
It is named after. Random number for dummy and terminal information
Z and member information X are respectively generated, and from the terminal
It is stored as shown in Fig. 6 along with the information sent.
It

On the other hand, in the member's terminal, it is stored as shown in FIG. The random number of the corresponding member (in FIG. 7, since the terminal storage unit of the member M ₃ is shown, the random number R ₃ ) is stored. Further, the terminal information Z sent from the base station and the member information X _{d1 to} X _d4 and X _{1 to} X ₄ sent from the base station are stored as shown in FIG. 7. Further, the subgroup key SGK ₂ is similarly shared by each member of the other subgroups SG ₂ .

The base station 1 generates a group encryption key GK ₁ with SGK ₁ and SGK ₂ added to the members of the subgroups SG ₁ and SG ₂ . The group key may be a common key type key, or may be a public key type public key and a private key. Here, this key is designated as GK ₁ c as a key of the common key system. This GK ₁ c is encrypted with the subgroup shared keys SGK ₁ and SGK ₂ , and S
Let GK ₁ (GK ₁ c) and SGK ₂ (GK ₁ c). These encrypted signals are continuously delivered to each member. Each member decrypts GK ₁ c using the subgroup encryption key of the subgroup to which it belongs.

The base station 1 verifies the member information X and requests the terminal of the member who has sent the incorrect member information X to retransmit. When the correct member information X cannot be obtained even by resending, the base station 1 recalculates the dummy member information X before and after the member, and sends the recalculated dummy member information X to each member.

A method of verifying the member information X _i will be described.
A verification method in the case of forming a group with n terminals will be described. Random number R _i of each terminal, terminal information Z _i , member information X _i and dummy random number R _di , terminal information Z _di ,
Member information X _di is as follows.

Terminal ID random number terminal information member information D ₁ R _d1 Z _d1 = α ^ R _d1 modp X _d1 = (Z ₁ / Z _n ) ^ R _d1 modp M ₁ R ₁ Z ₁ = α ^ R ₁ modp X _{1 = (Z d2 / Z d1)} ^ R 1 modp:::: D i R di Z di = α ^ R di modp X di = (Z i / Z i-1) ^ R di modp M i R i Z i = Α ^ R _i modp X _i = (Z _{di + 1} / Z _di ) ^ R _i modp D _{i + 1} R _{di + 1} Z _{di + 1} = α ^ R _{di + 1} modp X _{di + 1} = (Z _{i +1} / Z _i ) ^ R _{di + 1} mod p: :: :: D _n R _dn Z _dn = α ^ R _dn modp X _dn = (Z _n / Z _n-1 ) ^ R _dn modp M _n R _n Z _n = α ^ R _n modp X _n = (Z _d1 / Z _dn ) ^ R _n modp

The base station 1 verifies the member information X _i of the terminal M _i . The base station 1 recalculates the dummy member information X _di , X _{di + 1} using the already stored key sharing data to obtain the member information X _di ′, X _{di + 1} ′.

D _i R _di Z _di = α ^ R _di modp X _di '
= (Z _i / Z _{di + 1} ) ^ R _di modp M _i R _i Z _i = α ^ R _i modp X _i = (Z _{di + 1} / Z _di ) ^
R _i modp D _{i + 1} R _{di + 1} Z _{di + 1} = α ^ R _{di + 1} modp X _{di + 1} '=
(Z _di / Z _i ) ^ R _{di + 1} modp

Shared keys k _di ', k _{di + 1} ' of the dummy D _i , D _{i + 1}
To calculate. When the member information X _i is correct, the group key is k _di ′ = k _{di + 1} ′. However, if the member information X _i is different, this relationship does not always hold, so that the member information X can be verified.

A method for deleting a member will be described. First, change the subgroup key of the subgroup to which the member to be deleted belongs. The dummy member information X before and after the member to be deleted is calculated and transmitted. Change the group key and encrypt the group key with the subgroup key. Send the encrypted group key. The operation will be described by taking the case where the member M ₂ is deleted as an example. Members M ₂ is, because it belongs to the sub-group SG _1, first, to change the shared key SGK ₁ of the sub-group SG _1. The base station uses the member information X of the dummy member D _2.
Is calculated by deleting the member M ₂ . This is member information X _d2 '. Also, the member information X of the dummy D ₃ is calculated and the member information X _d3 'is obtained. Member information X _d2 '
And X _d3 ′ become X _d2 ′ = (Z _d3 / Z ₁ ) ^ R _d2 modp X _d3 ′ = (Z ₃ / Z _d2 ) ^ R _d3 mod p. This is stored in the base station storage unit and the member information X _d2 'and X _d3 ' is transmitted to each terminal. The state of the storage unit of the base station is shown in FIG. The parenthesized M ₂ , Z ₂ , and X ₂ indicate that the member M ₂ has been deleted.

When the shared key after deleting the member M _{2 is} calculated for the member M ₃ , K ₇ (M ₃ ) = Z _d3 ^ (7 · R ₃ ) · X ₃ ^ 6 · X _d4 ^ 5 · X ₄ ^ _{4 · X d1 ^ 3 · X} 1 ^ 2 · X d2 'modp = α ^ (R d3 · R 3 + R 3 · R d4 + R d4 · R 4 + R 4 · R d1 + R d1 · R 1 + R 1 · R d2 + R _d2 · R _d3 ) mod p. In this way, the subgroup shared key excluding the member M ₂ is shared. Let this key be SGK ₁ '.

[0044] In addition, the base station 1, to generate a new group key GK ₁ 'to replace the group key GK _1. Encrypt the group key GK ₁ 'using the subgroup key SGK ₁ ',
Send it out as SGK ₁ '(GK ₁ '). Subgroup SG ₂
Since there is no change in the members of subgroup key SG
There is no change in K ₂ . The group key GK ₁ 'is encrypted using the subgroup key SGK ₂ , and the ciphertext SGK ₂ (GK ₁ ')
As a member. Also in subgroup SG ₂ ,
Subgroup SG if any members are deleted
_The subgroup key is changed in the same way as in 1.

Each member receiving SGK ₁ '(GK ₁ ') and SGK ₂ (GK ₁ ') uses their shared key to
This is decrypted to obtain the group key GK ₁ ′.

A method for adding members will be described. Two dummy terminal information Z sandwiching the additional member is sent to the additional member. The added member receiving the terminal information Z calculates the member information X from the two terminal information Z and sends it to the base station. The base station verifies the member information X and, if correct, delivers it to each terminal.

The base station generates a dummy and sends this dummy terminal information Z and the next dummy terminal information Z. When the member M _a is added to the subgroup SG ₁ , a dummy D _a is generated, a random number R _da is generated, and terminal information Z _a = α ^ R _da modp is calculated and sent. The additional terminal M _a calculates member information X _a = (Z _d1 / Z _da ) ^ R _a modp and sends it to the base station. The base station has member information X _a
Is verified and stored in the base station storage unit. This stored state is shown in FIG. The base station broadcasts member information X of the members of the subgroup. Note that the terminal information Z of the member to be sent first may be dummy terminal information Z _d before and after the added terminal.

At this time, the shared key K ₁₀ (M ₀ ) is K ₁₀ (M _a ) = Z _da ^ (10 · R _a ) · X _a ^ 9 · X _d1 ^ 8 · X ₁ ^ 7 · X _{d2 ^ 6 · X 2 ^ 5 ·} X d3 ^ 4 · X 3 ^ 3 · X d4 ^ 2 · X 4 modp = α ^ (R da · R a + R a · R d1 + R d1 · R 1 + R 1 · R d2 + R _d2 · R ₂ + R ₂ · R _d3 + R _d3 · R ₃ + R ₃ · R _d4 + R _d4 · R ₄ + R ₄ · R _da ) mod p.

The subgroup key of the subgroup SG ₁ thus shared is SGK ₃ . The base station generates a group key GK ₂ . The group key GK ₂ and the subgroup key SGK ₃ of the newly shared subgroup SG ₁ ,
Using the subgroup key SGK ₂ of the subgroup SG ₂ for which no member has been added, encryption is performed and SGK ₃ (GK
₂ ), SGK ₂ (GK ₂ ) and deliver to each member.
Each member decrypts this using their respective subgroup keys to obtain the group key GK ₂ .

A method of group fusion will be described. When multiple groups are merged, create a new group key and use the group key that each group already has,
Encrypt the newly created group key and send it. Two
It is assumed that the group encryption keys of one group G ₁ and group G ₂ are GK ₁ and GK ₂ , respectively. The base station generates the group encryption key GK ₃ after fusion. The base station, the GK _3, Group G ₁ group encryption key GK ₁
And encrypt with the group encryption key GK ₂ of the group G ₂ ,
GK ₁ (GK ₃ ) and GK ₂ (GK ₃ ) are sent to each member in succession. Each member decrypts with the respective group encryption keys GK ₁ and GK ₂ to obtain GK ₃ .

A method of group division will be described. Group G _0, the group G ₀ and the group ID is described a case of dividing into two groups G ₁ (hereinafter referred to as group G _1). When the subgroups SG ₁ and SG ₂ are respectively divided and the divided subgroups are merged to form a divided group, only one of the subgroups is divided and the other subgroup is divided. The group may be divided without being divided. When sub-groups that are not divided and sub-groups that are divided are merged, the sub-groups may become groups as they are. Also in this case, the group encryption key is delivered.

The control unit of the base station copies the subgroup SG ₁ to form the subgroup SG ₂ and stores it in the storage unit of the base station. Subgroup SG ₂ is subgroup SG ₁
Is the same as the member of the above, and only the subgroup ID is different. FIG. 11 shows the state stored in the storage unit of the base station for four members. At the same time, the control unit of the base station transmits the subgroup SG ₁
For members belonging to the issues the information to make the SG ₂ by copying the SG _1. According to this information, the terminal copies the information of the subgroup SG ₁ held by the terminal to form the subgroup SG ₂ and stores it in the storage unit of the terminal. FIG. 12 shows the state of the terminal storage unit of the member M ₃ .

Subsequently, the base station determines that the subgroup SG₁To
On the other hand, after dividing the group members and their arrangement, new
Member information based on subgroup members X_diSend '
Believe. Subgroup SG₁And member M₁, M₂,
M₃, M_FourMember M from the lined up with₁And M₃And one
Subgroup SG₂Divide into
If so, the subgroup SG after division₂Group distribution
Row is D₁-D₂-M₂-D ₃-D_Four-M_FourBecomes member
M₁And member M₂Was omitted, and it was omitted because the array was different
The dummy member information X before and after the member is different. This
Here, D₁, D₂, D₃, D_FourMember information X has different values
I will calculate, so I will calculate. The calculation results are
Information X_d1', X_d2', X_d3', X_d4'As the base station
Store in the storage unit. Each calculation is calculated by the following formula.
Calculated. X_d1'= (Z_d2/ Z_Four) ^ R_d1 modp X_d2'= (Z₂/ Z_d1) ^ R_d1 modp X_d3'= (Z_d4/ Z₂) ^ R_d1 modp X_d4'= (Z_Four/ Z_d3) ^ R_d1 modp

Member information X _d1 ', X calculated in this way
_{The d2} ', X _d3 ', X _d4 'are stored and sent to the terminal via the transceiver of the base station. FIG. 13 shows the state stored in the storage unit of the base station. Subgroup SG _{1 of} FIG. 13
Indicates the numerical value of the new subgroup SG ₁ . The information sent from the base station is stored in the storage unit of the terminal. The members M ₂ and M ₄ receiving this use these values to calculate the shared key.

Shared key K ₆ (M ₂ ) for member M ₂
K ₆ (M ₂ ) = Z _d2 ^ (6 · R ₂ ) · X ₂ ^ 5 · X _d3 '^ 4 · X _d4 ' ^ 3 · X ₄ ^ 2 · X _d1 'modp = α ^ (R _d1 · R ₁ + R ₁ · R _d2 + R _d2 · R _d3 + R _d3 · R ₂ + R ₃ · R _d4 + R _d4 · R _d1 ) modp. However, X ₂ = (Z _d3 / Z _d2 ) ^ R ₂ modp X ₄ = (Z _d1 / Z _d4 ) ^ R ₄ modp Z _d1 = α ^ R _d1 modp Z _d2 = α ^ R _d2 modp Z _d3 = α ^ R _d3 modp Z _d4 = α ^ R _d4 mod p.

Also, one of the copied subgroups S
For G ₂ , the group member sequences of the members that are in conflict with the group G ₀ and the member information X _di "are calculated and transmitted. In order to delete the members M ₂ and M ₄ ,
The member information X before and after the member M ₂ and the member M ₄ is changed.

[0057] The member information X _d2 in front of the dummy D ₂ of the members M _{2 "and, X d2" X d2 = (} Z d3 / Z 1) ^ to calculate the R _d2 modp. Further, the member information X _d3 of the dummy D ₃ after the member M _{2 "as, X d3" X d3 = (} Z 3 / Z d2) ^ to calculate the R _d3 modp. Similarly, the member information X _d4 of the member M ₄ is calculated as X _d4 ", and the member information X _d1 is calculated as X _d1 ". X _d4 "= (Z _d1 / Z ₃ ) ^ R _d4 modp X _d1 " = (Z ₁ / Z _d4 ) ^ R _d1 modp

In this way, the value calculated by the base station calculation unit is stored in the storage unit of the base station. This state is shown in the group G1 in FIG. The control unit of the base station uses the member information X _d1 ", X _d2 ", X _d3 ", X _d4 " and the array information D ₁ −.
The _{M 1 -D 2 -D 3 -M 3} -D 4, sent to the members via the transceiver. The terminal of the member who receives the information stores this information in the storage unit. It is stored in the storage unit of the terminal of the member M ₃ as shown in FIG.

The corresponding members M ₁ and M ₃ use each numerical value to calculate the shared key. _{K 6 (M 1) = Z} d1 ^ (6 · R 1) · X 1 ^ 5 · X d2 "^ 4 · X d3" ^ 3 · X 3 ^ 2 · X d4 "modp = α ^ (R d2 · R ₂ + R ₂ · R _d3 + R _d3 · R _d4 + R _d4 · R ₄ + R ₄ · R _d1 + R _d1 · R _d2 ) modp K ₆ (M ₃ ) = Z _d3 ^ (6 · R ₃ ) · X ₃ ^ 5・ X _d4 "^ 4 ・ X _d1 " ^ 3 ・ X ₁ ^ 2 ・ X _d2 "mod p When this is calculated, it becomes equal to K ₆ (M ₁ ).

The members M ₁ and M ₃ also have the shared key, and the members M ₁ and M ₃ become one group. One of the members M ₂ and M ₄ is also a subgroup, and the subgroup SG ₁ is the subgroup S of the new member.
It is divided into G ₁ and a new subgroup SG ₂ .

If all the division information is encrypted by the subgroup key shared by the SG ₁ before the division and sent, only the subgroup members involved in this division share the information regarding the division, More secure. This subgroup key may be a shared key shared by the BD method, or may be a public key system key or a common key system key exchanged using this shared key.

Although the number of members of the sub-group has been described above as four, the number of members is not limited to four. It shows the case where every other member is divided. However, when dividing a continuous member into another subgroup, the dummy member information X before and after the continuous member may be changed. Also, although it has been shown that the subgroup is divided into two, the number of divisions can be freely set if there are members to be divided. That is, the number of subgroups smaller than the number of subgroups to be divided by one is copied, and a new group ID is set. It is sufficient to recalculate the member information X before and after the member leaving each and send it out.

[0063] and a sub-group in this way, which is divided into sub-groups SG ₁ and the sub-group SG _2, by using a shared key in the sub-group SG ₂ that has not been split, the group key GK ₂ and GK ₃ the base station has occurred Each is dealt and the group is divided. For example, to create a group G ₂ at the SG ₁ and the sub-group SG _2, when making group G ₃ in SG _3, using the sub-group SG ₁ and each of the sub-group key SGK ₁ and SGK ₂ of the sub-group SG ₂ the group key GK ₂ groups G ₂ delivered by encrypting the group key GK ₃ groups G ₃ and delivered encrypted subgroups key subgroup key SG _3, each group to obtain the group key , Group division is completed.

The method of using the BD method as the method of sharing the subgroup encryption key of the subgroup has been described. It is possible to make this BD method elliptical. The ellipse BD method will be briefly described. For details, refer to the textbook on elliptic curve cryptography. The base station uses the finite field F and the finite field F as public information.
The upper elliptic curve C and the point B on the elliptic curve C are published. The base station sets a dummy D, generates a random number R _d , calculates terminal information Z _d = B · R _{d of} the dummy D (calculation of an integer multiple of the point on the elliptic curve C), and distributes it to the terminal. To do.

The member M _i generates a random number R _i, and from the dummy terminal information Z _di and Z _{di + 1} before and after the member, member information X _i = R _i · (Z _{di + 1} −Z _di ). (Calculation of integral multiple of difference between points on elliptic curve C) is calculated, and member information X _i is sent to the base station. Terminal information Z _i = B · R _i (integer multiple calculation of points on elliptic curve C) is calculated and sent to the base station. The base station sends all member information {X _i } to each terminal. The dummy member information is calculated from the terminal information of the member, and the dummy member information {X _di } is transmitted to each terminal.

The member M _i is: K _2n = 2n · R _i · Z _di + (2n−1) · X _i + (2n−
2) ・ X _{di + 1} + (2n-3) ・ X _{i + 1} + ...
X _i-1 (calculation of points on the elliptic curve C) is calculated to share the shared key K _2n . Since there are a plurality of subgroups in the group, the same operation is performed for each subgroup. The base station generates a group key KG, encrypts it with the subgroup key, and delivers the group key KG to each member.

A method of deleting and adding a terminal will be described. The subgroup key of the subgroup in which the terminal has been deleted and added is updated by the elliptic dummy BD method. Generate a new group key at the base station. The generated new group key is encrypted with the updated subgroup key and delivered. As a key length for ensuring sufficient cryptographic strength in the BD method,
1024 bits are required, but if elliptical, about 160 bits is sufficient to secure the same level of encryption strength. By making the oval, it is possible to reduce the amount of group change information by 80% or more compared to the case where the oval is not made.

In the group having the group encryption key as described above, when performing communication for sending and receiving messages and data, the transmitting terminal or the transmitting base station generates a random number and encrypts the message or data with the random number.
Encrypt the random numbers with the group encryption key and send them out.

As described above, according to the embodiment of the present invention,
In the mobile communication dynamic secure grouping method, the group is divided into a plurality of subgroups, the subgroup encryption key is shared by the members belonging to the subgroup by the BD method, and the group encryption key is encrypted by the subgroup encryption key and delivered. Since the member belonging to the group acquires the group encryption key, the group key can be promptly updated when the group structure is changed.

[0070]

As is apparent from the above description, according to the present invention, one group is provided in a base station of a mobile communication dynamic secure grouping system composed of a base station and a plurality of terminals, and a plurality of virtual subgroups. , A means for generating a subgroup encryption key to be assigned to a subgroup, and a real member that constitutes the subgroup and a dummy member that is virtually provided are alternately arranged to form an array in which the real members are sandwiched by the dummy members. Means, a means for encrypting the group encryption key with a sub-group encryption key and delivering it to the actual members of the group, a means for performing group communication using the group encryption key, and a real member delivering the updated group encryption key. Select to delete a real member from the group, add a real member to the group, and Group for dividing the group, and means for merging a plurality of groups, means for calculating the subgroup encryption key by a real member belonging to the subgroup in the terminal, and a group encrypted with the subgroup encryption key. Since the configuration is provided with the means for decrypting the encryption key, it is possible to quickly update the group key when the configuration of the group is changed.

Even when the group members are added or deleted in the mobile communication system or when the groups are divided and fused, the calculation time of the encryption key of the BD method can be reduced and the group encryption key can be quickly processed even if there are many members. Can be updated.

[Brief description of drawings]

FIG. 1 is a diagram showing a relationship between groups, subgroups, and members in a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 2 is a block diagram of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 3 is a block diagram of a mobile communication dynamic secure grouping base station according to an embodiment of the present invention;

FIG. 4 is a block diagram of a mobile communication dynamic secure grouping terminal according to the embodiment of the present invention;

FIG. 5 is a diagram showing terminal information registered in a base station storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 6 is a diagram showing subgroup random numbers, terminal information, and member information stored in a base station storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention;

FIG. 7 is a diagram showing a storage state of a terminal storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 8 is a diagram showing a method of deleting a member from a subgroup of a mobile communication dynamic secure grouping system according to an embodiment of the present invention;

FIG. 9 is a diagram showing a method for adding members to a subgroup of a mobile communication dynamic secure grouping method according to an embodiment of the present invention;

FIG. 10 is a diagram showing a method for adding members to a group of the mobile communication dynamic secure grouping system according to the embodiment of the present invention;

FIG. 11 is a diagram showing a state of a base station storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 12 is a diagram showing a state of a terminal storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 13 is a diagram showing a state of a base station storage unit of a mobile communication dynamic secure grouping system according to an embodiment of the present invention,

FIG. 14 is a diagram of a terminal storage unit at the time of group division in the mobile communication dynamic secure grouping system according to the embodiment of the present invention.

[Explanation of symbols]

1 base station T _{1 to} T _n terminal 11,21 transmitting / receiving unit 12,22 control unit 13,23 arithmetic unit 14,24 storage unit

Continued front page    F-term (reference) 5J104 AA16 BA03 EA04 EA18 NA02                       PA01                 5K067 AA13 AA33 BB04 BB21 DD17                       EE02 EE10 EE22 FF02 HH21                       HH22 HH24

Claims (4)

[Claims] 1. A mobile communication dynamic secure grouping system comprising a base station and a plurality of terminals,
In the base station, a means for dividing one group into a plurality of virtual subgroups, a means for generating a subgroup encryption key assigned to the subgroup, and a dummy provided virtually with real members forming the subgroup A means for forming an array in which the members are alternately arranged to sandwich the real members between the dummy members, a means for encrypting the group encryption key with the subgroup encryption key and delivering it to the actual members of the group, and a group for using the group encryption key. A means for performing communication, a means for deleting a real member from the group by selecting a real member for delivering the updated group encryption key, a means for adding a real member to the group, a means for dividing the group, and a plurality of means. Means for merging the groups of the above, and the actual members belonging to the subgroup calculate the subgroup encryption key in the terminal. That means a mobile communication dynamic secure grouping method is characterized in that a means for decoding a group encryption key encrypted by sub-group encryption key. 2. The dynamic secure grouping system according to claim 1, wherein the group encryption key is composed of a common secret key system key. 3. One group is divided into a plurality of virtual subgroups, and real members forming the subgroups and dummy members provided virtually are alternately arranged to sandwich the real members between dummy members. The sub-group encryption key is calculated based on the group configuration information, the real members belonging to the sub-group share the sub-group encryption key, the group encryption key is encrypted with the sub-group encryption key, and the base station actual members Group communication by using the group encryption key and updating the group encryption key, deleting the actual members of the group, adding the actual members of the group, dividing the group, and A mobile communication dynamic secure grouping method characterized by performing fusion. 4. The dynamic secure grouping method according to claim 3, wherein the group encryption key is a key of a common secret key system.